fxb6476/Disclosure

## Disclosure
[Vulnerability Description]
 - Hydra through 0.1.8 has a NULL pointer dereference and daemon crash when processing POST requests
   that lack a 'Content-Length' header. The issue comes from the process_header_end() function, which
   calls boa_atoi(), which ultimately calls aoti() on a null pointer.


[Additional Information]
 - The Hydra web server is widely used by embedded networking equipment, such as switches, and embedded devices in general.
   Because of this fact, it is very difficult to specify device models or vendors that may be impacted by this vulnerability.
   Rudimentary scans using Shodan show over 8,000 devices registered broadcasting the "Hydra v0.1.8" server, open to the
   world.

 - The Hydra web site explains:

   "Hydra, is a modification of Boa web server, which supports multiple threads of execution, and has more features.
   Boa is a high performance web server for Unix-alike computers, covered by the Gnu General Public License.
   Hydra was based on Boa version 0.94.13."

   Hydra v0.1.8 source code -> http://hydra.hellug.gr/download/ last update was in 2006.

 - Overview:

   Hydra added additional code to Boa's process_header_end() function. The additional code makes a call to the boa_atoi()
   function with req->content_length variable as an argument.

   The value of req->content_length is supposed to be set by the function process_option_line(), which sets it
   to the numerical value after the 'Content-Length: ' header. However, if the 'Content-Length' header is omitted
   from the POST request, the value of req->content_length remains NULL.

   Finally, after the call to process_option_line(), read.c makes a call to the process_header_end() function.
   The additional code added by Hydra in process_head_end(), then makes an unchecked call to boa_atoi() passing
   req->content_length as a parameter, which is NULL. Inside boa_atoi() the atoi() function is called as follows,
   atoi(req->content_length) -> atoi(NULL). This results in the segment fault exception being thrown, and the Hydra
   daemon crashing.

 - Proof Of Concept:
   --># curl http://<server-ip>/<dir-to-cgi>/<cgi-script -X POST
   (By default CURL will not add the 'Content-Length' header if data is not passed.)


[Vulnerability Type 'Other']
 - Null Pointer Reference -> Segment Fault


[Vendor of Product]
 - (OpenSource) Hydra Web Server, fork of boa webserver 0.94.13


[Affected Product Code Base]
 - http://hydra.hellug.gr/download/
 - Personal clone of Hydra v0.1.8 -> https://github.com/fxb6476/Hydra-v0.1.8


[Affected Componenet]
 - request.c, read.c, util.c, all contribute to the vulnerability.


[Attack Type]
 - Local if the web server is only visible on the local network.
   Remote if the web server is visible to the internet.


[Impact on Component]
 - Denial of Service


[Discoverer]
 - Felix Blanco, Marshall Hallenbeck, Justin Bacco, Datto Inc.


[Reference]
 - https://github.com/fxb6476/Hydra-v0.1.8 -> Hydra v0.1.8 clone
 - http://hydra.hellug.gr/download/ -> Hydra v0.1.8 original source code download
	[Vulnerability Description]
	- Hydra through 0.1.8 has a NULL pointer dereference and daemon crash when processing POST requests
	that lack a 'Content-Length' header. The issue comes from the process_header_end() function, which
	calls boa_atoi(), which ultimately calls aoti() on a null pointer.


	[Additional Information]
	- The Hydra web server is widely used by embedded networking equipment, such as switches, and embedded devices in general.
	Because of this fact, it is very difficult to specify device models or vendors that may be impacted by this vulnerability.
	Rudimentary scans using Shodan show over 8,000 devices registered broadcasting the "Hydra v0.1.8" server, open to the
	world.

	- The Hydra web site explains:

	"Hydra, is a modification of Boa web server, which supports multiple threads of execution, and has more features.
	Boa is a high performance web server for Unix-alike computers, covered by the Gnu General Public License.
	Hydra was based on Boa version 0.94.13."

	Hydra v0.1.8 source code -> http://hydra.hellug.gr/download/ last update was in 2006.

	- Overview:

	Hydra added additional code to Boa's process_header_end() function. The additional code makes a call to the boa_atoi()
	function with req->content_length variable as an argument.

	The value of req->content_length is supposed to be set by the function process_option_line(), which sets it
	to the numerical value after the 'Content-Length: ' header. However, if the 'Content-Length' header is omitted
	from the POST request, the value of req->content_length remains NULL.

	Finally, after the call to process_option_line(), read.c makes a call to the process_header_end() function.
	The additional code added by Hydra in process_head_end(), then makes an unchecked call to boa_atoi() passing
	req->content_length as a parameter, which is NULL. Inside boa_atoi() the atoi() function is called as follows,
	atoi(req->content_length) -> atoi(NULL). This results in the segment fault exception being thrown, and the Hydra
	daemon crashing.

	- Proof Of Concept:
	--># curl http://<server-ip>/<dir-to-cgi>/<cgi-script -X POST
	(By default CURL will not add the 'Content-Length' header if data is not passed.)


	[Vulnerability Type 'Other']
	- Null Pointer Reference -> Segment Fault


	[Vendor of Product]
	- (OpenSource) Hydra Web Server, fork of boa webserver 0.94.13


	[Affected Product Code Base]
	- http://hydra.hellug.gr/download/
	- Personal clone of Hydra v0.1.8 -> https://github.com/fxb6476/Hydra-v0.1.8


	[Affected Componenet]
	- request.c, read.c, util.c, all contribute to the vulnerability.


	[Attack Type]
	- Local if the web server is only visible on the local network.
	Remote if the web server is visible to the internet.


	[Impact on Component]
	- Denial of Service


	[Discoverer]
	- Felix Blanco, Marshall Hallenbeck, Justin Bacco, Datto Inc.


	[Reference]
	- https://github.com/fxb6476/Hydra-v0.1.8 -> Hydra v0.1.8 clone
	- http://hydra.hellug.gr/download/ -> Hydra v0.1.8 original source code download